Companies forced to clarify NSA links after Snowden leak claims

Focus on ties to US National Security Agency dominates conference keynotes

RSA chairman Art Coviello: RSA ‘not involved’ in colluding with surreptitious surveillance of citizens. Photograph: David Paul Morris/Getty Images

The fallout from the ongoing leaks of secret documents by Edward Snowden has dominated keynote talks and many of the major presentations at the world's largest annual security conferences this week.

At the RSA conference, which has seen record attendance, keynote presenters with companies accused of facilitating access to data for the US National Security Agency (NSA) were forced into addressing the issue.

Usually, keynotes by RSA and its major sponsor companies focus on more typical subjects such as forecasting security trends and introducing new products or services.

RSA chairman Art Coviello opened the conference last Tuesday with a keynote speech that discussed, directly and indirectly, allegations from late last year that RSA had a secret, $10 million contract with the NSA. It was claimed in documents from Snowden that the arrangement involved supplying deliberately flawed encryption in one of its widely used products, enabling the NSA to conduct surveillance.



Worked with NSA
While he did not discuss the matter of the paid contract, Coviello argued that, like many security organisations in the US, RSA has worked with the defensive arm of the NSA – known as the Information Assurance Directorate – and was not involved in colluding with the surreptitious surveillance of citizens and other governments revealed by whistleblower Edward Snowden.

The NSA has two divisions, one that focuses on defensive monitoring of threats to the US communications infrastructure, and one that works on covert intelligence gathering.

Coviello called for the break-up of the NSA into two separate organisations.

He also noted that unwarranted spying was an international problem, and that all security agencies worldwide must not overstep their role.

In his keynote speech, Microsoft's corporate vice-president of trustworthy computing, Scott Charney, denied the company had built hidden "back doors" in any of its products to facilitate government snooping.

Doing so would be "economic suicide" for the company, he said. He also emphasised that Microsoft had never complied with any requests from the NSA for bulk data. Instead, he said, it would only respond to single requests that went through established legal channels.

Both Charney and Coviello called for new “norms” and principles for the industry that would clarify the relationship between the US government and private companies. Coviello said the industry needed to collaborate to support privacy and protect intellectual property rights, and also take on the threat of cyberwarfare.

Nawaf Bitar, senior vice-president and general manager of the security business unit at Juniper Networks, called for focused industry effort and cooperation to improve security and privacy protections in his keynote.

He said the real problem to be addressed was “apathy” – that people generally do not care enough about privacy or security.

He complained that the security industry itself was under attack and needed to fight back not only against hackers but also against government snooping.

“Our industry is under attack from all manner of foes: criminal organisations, corporate thieves, hostile governments, friendly governments. Haven’t we reached our breaking point? When will we say, ‘Enough is enough?’”


First world outrage
But retweeting, hitting a "like" button on Facebook, or staging a boycott of the conference, as some organisations had done as a result of the Snowden claims about RSA and other companies, was "first world outrage" that did little to address the real issues, he said.

In the cryptographers’ panel, a longstanding feature of the conference, four well-known cryptographers also reflected on the implications of Snowden’s leaks.

Ron Rivest, a founder of RSA (and the R in the company name), said he had been shocked to learn that the NSA, which was supposed to be working in trust with the security industry to protect against hacking and surveillance, was involved in "the poisoning of the well" by allowing for back doors in computer code that was supposed to set national security standards.


Disturbing
"The most disturbing thing for me was that the NSA would tamper with security guidance to the US government. I believed they were 100 per cent interested in security" for those using those standards, the eminent cryptographer Whitfield Diffie said.

“That puts on us the tremendous additional burden of having to vet and make sure [code and standards] are not tampered with.”

Rivest said the leaks from both Snowden and Chelsea Manning and the criminalising of these whistleblowers showed that “existing whistleblower guidelines are not adequate, and we need to make a mechanism for people to debate these things.

“We’re still trying to understand the role government should be playing in the privacy of its citizens.”

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology